[Extensions] WebRequest SecurityInfo in web sockets

This CL adds logic to proxy web socket to obtain ssl info from there.

This follows previous CL -
https://chromium-review.googlesource.com/c/chromium/src/+/7166297/1

Proposal: w3c/webextensions#899
Bug: 458045659
Change-Id: Id0773cee906ee5c145faae642b5de71f40e087f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7165511
Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
Commit-Queue: Vlad Krot <vkrot@google.com>
Cr-Commit-Position: refs/heads/main@{#1553911}

Author: vkrot-cell

chrome/browser/extensions/api/web_request/web_request_apitest.cc

@@ -8390,6 +8390,8 @@ IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, SecurityInfo_Secure) {
                       embedded_test_server()->GetURL("/simple.html"));
 }
 
+// Tests that fetch('http://') results in web request listener
+// getting SecurityInfo with state='insecure' and all other fields not set.
 IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, SecurityInfo_Insecure) {
   ASSERT_TRUE(StartEmbeddedTestServer());
 
@@ -8421,6 +8423,43 @@ IN_PROC_BROWSER_TEST_F(SecurityInfoBrokenWebRequestApiTest,
                       embedded_test_server()->GetURL("/simple.html"));
 }
 
+IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest,
+                       SecurityInfo_WebSocket_Secure) {
+  ASSERT_TRUE(StartEmbeddedTestServer());
+
+  InitWebSocketHttpsServer();
+  ASSERT_TRUE(StartWebSocketServer());
+
+  RunSecurityInfoTest("secure", /*use_web_socket=*/true,
+                      GetWebSocketServer().GetCertificate(),
+                      GetWebSocketServer().GetURL("/echo-with-no-extension"));
+}
+
+// Tests that new Websocket('ws://') results in web request listener
+// getting SecurityInfo with state='insecure' and all other fields not set.
+IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest,
+                       SecurityInfo_WebSocket_Insecure) {
+  ASSERT_TRUE(StartEmbeddedTestServer());
+  ASSERT_TRUE(StartWebSocketServer());
+
+  RunSecurityInfoInsecureTest(
+      /*use_web_socket=*/true,
+      GetWebSocketServer().GetURL("/echo-with-no-extension"));
+}
+
+IN_PROC_BROWSER_TEST_F(SecurityInfoBrokenWebRequestApiTest,
+                       SecurityInfo_WebSocket_Broken) {
+  ASSERT_TRUE(StartEmbeddedTestServer());
+
+  InitWebSocketHttpsServer(
+      net::test_server::EmbeddedTestServer::ServerCertificate::CERT_EXPIRED);
+  ASSERT_TRUE(StartWebSocketServer());
+
+  RunSecurityInfoTest("broken", /*use_web_socket=*/true,
+                      GetWebSocketServer().GetCertificate(),
+                      GetWebSocketServer().GetURL("/echo-with-no-extension"));
+}
+
 #endif  // BUILDFLAG(ENABLE_EXTENSIONS)
 
 }  // namespace extensions

chrome/browser/extensions/extension_apitest.cc

@@ -268,6 +268,16 @@ net::EmbeddedTestServer& ExtensionApiTest::GetWebSocketServer() {
   return *websocket_server_;
 }
 
+void ExtensionApiTest::InitWebSocketHttpsServer(
+    net::test_server::EmbeddedTestServer::ServerCertificate
+        server_certificate) {
+  CHECK(!websocket_server_);
+  websocket_server_ = std::make_unique<net::test_server::EmbeddedTestServer>(
+      net::test_server::EmbeddedTestServer::Type::TYPE_HTTPS);
+  websocket_server_->SetSSLConfig(server_certificate);
+  net::test_server::InstallDefaultWebSocketHandlers(websocket_server_.get());
+}
+
 bool ExtensionApiTest::StartWebSocketServer(
     bool enable_basic_auth) {
   // Initialize `websocket_server_`, if needed.

chrome/browser/extensions/extension_apitest.h

@@ -126,6 +126,13 @@ class ExtensionApiTest : public ExtensionBrowserTest {
   // the server before it has started.
   net::test_server::EmbeddedTestServer& GetWebSocketServer();
 
+  // Initializes web_socket that is returned by `GetWebSocketServer` function
+  // to serve endpoints via secure wss protocol.
+  void InitWebSocketHttpsServer(
+      net::test_server::EmbeddedTestServer::ServerCertificate
+          server_certificate =
+              net::test_server::EmbeddedTestServer::ServerCertificate::CERT_OK);
+
   // Start the test WebSocket server, and store details of its state. Those
   // details will be available to javascript tests using
   // chrome.test.getConfig(). Enable HTTP basic authentication if needed.

extensions/browser/api/web_request/web_request_api.cc

@@ -630,10 +630,13 @@ void WebRequestAPI::ProxyWebSocket(
   const bool has_extra_headers =
       WebRequestEventRouter::Get(browser_context)
           ->HasAnyExtraHeadersListener(browser_context);
+  const bool has_security_info =
+      WebRequestEventRouter::Get(browser_context)
+          ->HasAnySecurityInfoListener(browser_context);
 
   WebRequestProxyingWebSocket::StartProxying(
       std::move(factory), url, site_for_cookies, user_agent,
-      std::move(handshake_client), has_extra_headers,
+      std::move(handshake_client), has_extra_headers, has_security_info,
       frame->GetProcess()->GetDeprecatedID(), frame->GetRoutingID(),
       &request_id_generator_, frame->GetLastCommittedOrigin(),
       frame->GetProcess()->GetBrowserContext(), proxies_.get());

extensions/browser/api/web_request/web_request_proxying_websocket.cc

@@ -63,6 +63,7 @@ WebRequestProxyingWebSocket::WebRequestProxyingWebSocket(
     mojo::PendingRemote<network::mojom::WebSocketHandshakeClient>
         handshake_client,
     bool has_extra_headers,
+    bool has_security_info,
     int process_id,
     int render_frame_id,
     content::BrowserContext* browser_context,
@@ -74,6 +75,7 @@ WebRequestProxyingWebSocket::WebRequestProxyingWebSocket(
       request_headers_(request.headers),
       response_(network::mojom::URLResponseHead::New()),
       has_extra_headers_(has_extra_headers),
+      has_security_info_(has_security_info),
       info_(WebRequestInfoInitParams(
           request_id_generator->Generate(IPC::mojom::kRoutingIdNone, 0),
           process_id,
@@ -114,7 +116,7 @@ void WebRequestProxyingWebSocket::Start() {
   // OnBeforeSendHeaders and OnSendHeaders will be handled there. Otherwise,
   // send these events before the request starts.
   base::RepeatingCallback<void(int)> continuation;
-  if (has_extra_headers_) {
+  if (has_extra_headers_ || has_security_info_) {
     continuation = base::BindRepeating(
         &WebRequestProxyingWebSocket::ContinueToStartRequest,
         weak_factory_.GetWeakPtr());
@@ -124,6 +126,9 @@ void WebRequestProxyingWebSocket::Start() {
         weak_factory_.GetWeakPtr());
   }
 
+  WebRequestEventRouter::Get(browser_context_)
+      ->HasSecurityInfoListenerForRequest(browser_context_, &info_);
+
   // TODO(yhirano): Consider having throttling here (probably with aligned with
   // WebRequestProxyingURLLoaderFactory).
   bool should_collapse_initiator = false;
@@ -205,7 +210,7 @@ void WebRequestProxyingWebSocket::OnConnectionEstablished(
 
   response_->remote_endpoint = handshake_response_->remote_endpoint;
 
-  // response_->headers will be set in OnBeforeSendHeaders if
+  // response_->headers will be set in OnHeadersReceived if
   // |receiver_as_header_client_| is set.
   if (receiver_as_header_client_.is_bound()) {
     ContinueToCompleted();
@@ -298,7 +303,14 @@ void WebRequestProxyingWebSocket::OnHeadersReceived(
     OnHeadersReceivedCallback callback) {
   DCHECK(receiver_as_header_client_.is_bound());
 
+  if (has_security_info_ &&
+      WebRequestEventRouter::Get(browser_context_)
+          ->HasSecurityInfoListenerForRequest(browser_context_, &info_)) {
+    info_.AddSslInfo(ssl_info);
+  }
+
   on_headers_received_callback_ = std::move(callback);
+
   response_->headers = base::MakeRefCounted<net::HttpResponseHeaders>(headers);
 
   ContinueToHeadersReceived();
@@ -317,6 +329,7 @@ void WebRequestProxyingWebSocket::StartProxying(
     mojo::PendingRemote<network::mojom::WebSocketHandshakeClient>
         handshake_client,
     bool has_extra_headers,
+    bool has_security_info,
     int process_id,
     int render_frame_id,
     WebRequestAPI::RequestIDGenerator* request_id_generator,
@@ -334,8 +347,8 @@ void WebRequestProxyingWebSocket::StartProxying(
 
   auto proxy = std::make_unique<WebRequestProxyingWebSocket>(
       std::move(factory), request, std::move(handshake_client),
-      has_extra_headers, process_id, render_frame_id, browser_context,
-      request_id_generator, proxies);
+      has_extra_headers, has_security_info, process_id, render_frame_id,
+      browser_context, request_id_generator, proxies);
 
   auto* raw_proxy = proxy.get();
   proxies->AddProxy(std::move(proxy));
@@ -420,7 +433,7 @@ void WebRequestProxyingWebSocket::ContinueToStartRequest(int error_code) {
 
   mojo::PendingRemote<network::mojom::TrustedHeaderClient>
       trusted_header_client = mojo::NullRemote();
-  if (has_extra_headers_) {
+  if (has_extra_headers_ || has_security_info_) {
     trusted_header_client =
         receiver_as_header_client_.BindNewPipeAndPassRemote();
   }

extensions/browser/api/web_request/web_request_proxying_websocket.h

@@ -53,6 +53,7 @@ class WebRequestProxyingWebSocket
       mojo::PendingRemote<network::mojom::WebSocketHandshakeClient>
           handshake_client,
       bool has_extra_headers,
+      bool has_security_info,
       int process_id,
       int render_frame_id,
       content::BrowserContext* browser_context,
@@ -103,6 +104,7 @@ class WebRequestProxyingWebSocket
       mojo::PendingRemote<network::mojom::WebSocketHandshakeClient>
           handshake_client,
       bool has_extra_headers,
+      bool has_security_info,
       int process_id,
       int render_frame_id,
       WebRequestAPI::RequestIDGenerator* request_id_generator,
@@ -160,6 +162,7 @@ class WebRequestProxyingWebSocket
   GURL redirect_url_;
   bool is_done_ = false;
   bool has_extra_headers_;
+  bool has_security_info_;
   mojo::PendingRemote<network::mojom::WebSocket> websocket_;
   mojo::PendingReceiver<network::mojom::WebSocketClient> client_receiver_;
   network::mojom::WebSocketHandshakeResponsePtr handshake_response_ = nullptr;